Period for Reply

A SHORTENED STATUTORY PERIOD FOR REPLY IS SET TO EXPIRE 3 MONTH(S) OR THIRTY (30) DAYS, 
WHICHEVER IS LONGER, FROM THE MAILING DATE OF THIS COMMUNICATION. 

- Extensions of time may be available under the provisions of 37 CFR 1.136(a). In no event, however, may a reply be timely filed 
after SIX (6) MONTHS from the mailing date of this communication. 

- If NO period for reply is specified above, the maximum statutory period will apply and will expire SIX (6) MONTHS from the mailing date of this communication. 

- Failure to reply within the set or extended period for reply will, by statute, cause the application to become ABANDONED (35 U.S.C. § 133).
Any reply received by the Office later than three months after the mailing date of this communication, even if timely filed, may reduce any 
earned patent term adjustment. See 37 CFR 1.704(b). 

Status 

1) [x] Responsive to communication(s) filed on 26 September 2003.
2a) [ ] This action is FINAL. 2b) [x] This action is non-final.

3) [ ] Since this application is in condition for allowance except for formal matters, prosecution as to the merits is
closed in accordance with the practice under Ex parte Quayle, 1935 C.D. 11, 453 O.G. 213.

Disposition of Claims 

4) [x] Claim(s) 1-18 is/are pending in the application.

4a) Of the above claim(s) is/are withdrawn from consideration.

5) [ ] Claim(s) is/are allowed.

6) [x] Claim(s) 1-18 is/are rejected.

7) [ ] Claim(s) is/are objected to.

8) [ ] Claim(s) are subject to restriction and/or election requirement.

Application Papers 

9) [ ] The specification is objected to by the Examiner.

10) [ ] The drawing(s) filed on is/are: a) [ ] accepted or b) [ ] objected to by the Examiner.

Applicant may not request that any objection to the drawing(s) be held in abeyance. See 37 CFR 1.85(a).
Replacement drawing sheet(s) including the correction is required if the drawing(s) is objected to. See 37 CFR 1.121(d).

11) [ ] The oath or declaration is objected to by the Examiner. Note the attached Office Action or form PTO-152.

Priority under 35 U.S.C. § 119 

12) [x] Acknowledgment is made of a claim for foreign priority under 35 U.S.C. § 119(a)-(d) or (f). 
a) [ ] All b) [ ] Some * c) [ ] None of:

1. [x] Certified copies of the priority documents have been received.

2. [ ] Certified copies of the priority documents have been received in Application No. .

3. [ ] Copies of the certified copies of the priority documents have been received in this National Stage
application from the International Bureau (PCT Rule 17.2(a)).
* See the attached detailed Office action for a list of the certified copies not received. 
DETAILED ACTION

1. Claims 1 - 18 are pending and have been examined.

Priority 

2. Receipt is acknowledged of papers submitted under 35 U.S.C. 119(a)-(d), which papers
have been placed of record in the file. 

Claim Rejections - 35 USC § 102 
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the 
basis for the rejections under this section made in this Office action: 
A person shall be entitled to a patent unless - 

(e) the invention was described in a patent granted on an application for patent by another filed in the 
United States before the invention thereof by the applicant for patent, or on an international application 
by another who has fulfilled the requirements of paragraphs (1), (2), and (4) of section 371(c) of this 
title before the invention thereof by the applicant for patent. 

The changes made to 35 U.S.C. 102(e) by the American Inventors Protection Act of 
1999 (AIPA) and the Intellectual Property and High Technology Technical Amendments Act of 
2002 do not apply when the reference is a U.S. patent resulting directly or indirectly from an 
international application filed before November 29, 2000. Therefore, the prior art date of the 
reference is determined under 35 U.S.C. 102(e) prior to the amendment by the AIPA (pre-AIPA
35 U.S.C. 102(e)). 

3. Claims 1 - 18 are rejected under 35 U.S.C. 102(e) as being anticipated by Porras et al. 
in US Patent No. 6711615 (hereinafter US '615). 

4. As for claim 1, US '615 discloses:
A communications monitoring system comprising: a communications sensor for receiving
communications packets flowing at arbitrary points on a network; and

a similarity calculator for calculating formal similarity between two packet streams composed of
communications packets entering the sensor upon arrival of the communications packets, (see
column 1, line 52, 56 - 61; column 5, lines 46 - 50, 58 - 61; Abstract)

For claim 2, US '615 discloses: 
The communications monitoring system according to claim 1, wherein the similarity calculator 
represents the two packet streams by graphs depicting amounts of data in communications 
packets in respective packet streams with respect to elapsed time, and calculates similarity 
between the two packet streams based on size of regions enclosed by the two graphs when the 
graphs of the packet streams are moved close to each other without intersecting each other, 
(see column 6, lines 7-15) 

For claim 3, US '615 discloses: 
The communications monitoring system according to claim 1, wherein the communications 
sensor sends out a predetermined alert according to a similarity value calculated by the 
similarity calculator, (see column 4, lines 64 - 66; column 8, lines 23 - 39, 57 - column 9, lines 
1-5) 

As for claim 4, US '615 discloses: 

A communications monitoring system comprising: a packet input means for receiving 
communications packets flowing at arbitrary points on a network; and matching means for 
performing real-time matching between two packet streams composed of communications 
packets received by the packet input means, (see column 1, line 52, 56-61; column 5, lines 46 
-50, 58-61; Abstract) 
For claim 5, US '615 discloses:
The communications monitoring system according to claim 4, wherein the matching means 
determines formal similarity between the two packet streams based on a time lag between each 
corresponding pair of communications packets in the two packet streams, (see column 6, lines 7 
-15) 

For claim 6, US '615 discloses: 
The communications monitoring system according to claim 5, further comprising alerting means 
for sending out a predetermined alert according to the formal similarity between the two packet 
streams determined by the matching means, (see column 4, lines 64 - 66; column 8, lines 23 - 
39, 57 - column 9, lines 1-5) 

As for claim 7, US '615 discloses: 
A communications monitoring method for monitoring data communications using a computer, 
comprising the steps of: acquiring communications packets in sequence from arbitrary points on 
a network and storing them in predetermined storage means together with information about a 
packet stream to which the communications packets belong; on reception of a predetermined 
communication packet, taking another communications packet received within a predetermined 
time before acquiring a predetermined communications packet, out of the storage means; 
determining formal similarity between the first packet stream which contains up to the acquired 
communications packet and a second packet stream to which the communications packet taken 
out of the storage means belong; and sending out a predetermined alert according to the 
determined similarity, (see column 1, line 52, 56 - 61; column 5, lines 46 - 50, 58 - 61;
Abstract) 

For claim 8, US '615 teaches: 
The communications monitoring method according to claim 7, wherein in the step of determining 
the formal similarity of packet streams, the formal similarity between the two packet streams is
determined based on a time lag between each corresponding pair of communications packets in 
the two packet streams, (see column 6, lines 7-15) 

For claim 9, US '615 teaches:
The communications monitoring method according to claim 7, further comprising a step of 
discarding information used in determining the similarity of second packet streams except the 
second packet stream determined to be most similar to the first packet stream, (see column 6, 
lines 7-15; column 8, lines 23 - 39, 57 - column 9, lines 1 - 5) 

As for claim 10, US '615 teaches: 
An information processing method comprising comparing two packet streams flowing on a 
network, the step of comparing comprising the steps of: acquiring communications packets in 
sequence from arbitrary points on a network and storing them in predetermined storage means 
together with information about a packet stream to which the communications packets belong; 
on reception of a predetermined communication packet, taking another communications packet 
received within a predetermined time before acquiring a predetermined communications packet, 
out of the storage means; and performing matching between the first packet stream which 
contains up to the acquired communications packet and a second packet stream to which the 
communications packet taken out of the storage means belong, (see column 1, line 52, 56 - 61;
column 5, lines 46 - 50, 58 - 61; Abstract)

Application/Control Number: 10/672,342
Art Unit: 2132

For claim 11, US '615 teaches:
The information processing method according to claim 10, wherein in the step of performing
matching between the packet streams, the first and second packet streams are represented by
graphs which depict increments of sequence numbers of communications packets in respective
packet streams with respect to elapsed time and the similarity between the two packet streams
is calculated based on size of regions enclosed by the two graphs when the graphs of the
packet streams are moved close to each other without intersecting each other, (see column 6,
lines 7 - 15)

For claim 12, US '615 teaches: 
The information processing method according to claim 11, wherein in the step of calculating the
similarity between the packet streams, information used in determining the similarity is 
discarded according to time-axis lengths of the regions enclosed by the two graphs, (see 
column 6, lines 7-15; column 8, lines 23 - 39, 57 - column 9, lines 1 - 5) 

For claim 13, US '615 teaches: 
An article of manufacture comprising a computer usable medium having computer readable 
program code means embodied therein for causing communications monitoring, the computer 
readable program code means in said article of manufacture comprising computer readable 
program code means for causing a computer to effect the steps of claim 7. (see Figure 6) 

For claim 14, US '615 teaches: 
A program storage device readable by machine, tangibly embodying a program of instructions 
executable by the machine to perform method steps for communications monitoring, said 
method steps comprising the steps of claim 7. (see Figure 6) 

For claim 15, US '615 teaches:
An article of manufacture comprising a computer usable medium having computer readable 
program code means embodied therein for causing information processing, the computer 
readable program code means in said article of manufacture comprising computer readable 
program code means for causing a computer to effect the steps of claim 10. (see Figure 6) 

For claim 16, US '615 teaches:
A program storage device readable by machine, tangibly embodying a program of instructions
executable by the machine to perform method steps for information processing, said method
steps comprising the steps of claim 10. (see Figure 6) 

For claim 17, US '615 teaches: 
A computer program product comprising a computer usable medium having computer readable 
program code means embodied therein for causing communications monitoring, the computer 
readable program code means in said computer program product comprising computer 
readable program code means for causing a computer to effect the functions of claim 1. (see
column 2, lines 32 - 36; Figure 6) 

For claim 18, US '615 teaches:
A computer program product comprising a computer usable medium having computer readable 
program code means embodied therein for causing communications monitoring, the computer 
readable program code means in said computer program product comprising computer 
readable program code means for causing a computer to effect the functions of claim 4. (see 
column 2, lines 32 - 36; Figure 6) 

Conclusion 

5. The prior art made of record and not relied upon is considered pertinent to applicant's 
disclosure. Judge et al. in US Patent No. 7124438 discloses a system and method for anomaly 
detection in patterns of monitored communications. Copeland, III in US PGPub No. 
20020144156 discloses network port profiling and in US PGPub No. 20030105976 teaches 
flow-based detection of network intrusions. 

6. Any inquiry concerning this communication or earlier communications from the examiner 
should be directed to Laurel Lashley whose telephone number is 571-272-0693. The examiner 
can normally be reached on Monday - Thursday, alt Fridays btw 7:30 am & 5 pm. 
If attempts to reach the examiner by telephone are unsuccessful, the examiner's
supervisor, Gilberto Barron, Jr. can be reached on 571-272-3799. The fax phone number for 
the organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private 
PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you 
would like assistance from a USPTO Customer Service Representative or access to the 
automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

Laurel Lashley 



Examiner 
Art Unit 2132 